Joining the Security Operations Centre (SOC) team at Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME). On several previous occasions, at Cisco Live, Black Hat and other events, I had mainly watched the SOC in operation, and watching the excitement from the outside was enough. Joining them this time was a great experience, and I don’t think watching will satisfy me anymore. My role was to be part of the Tier 1 (Triage) / Tier 2 (Investigator) analyst team looking at incidents first hand. In this blog I will focus on a few points from this experience:
- Onboarding: Getting onboard, accessing the tools, verifying data, fixing integration
- Process of Escalation: SOC escalation process
- Innovation: Develop and implement new integrations, processes, workflows, and automations
Getting onboarded in a SOC is a big task for any organisation, but not with the Cisco SOC team. Getting access to the tools took less than 20 minutes: leveraging the single Duo Directory portal to log in to most of the cloud-based (and even on-prem) portals, XDR, Splunk and others made the onboarding experience quick, easy and straightforward.
The second phase of the onboarding was to get to know the tools and the process to follow when escalating.
- As a Tier 1 / Tier 2 analyst, the first screen to look at is Cisco XDR, which brings in incidents from the different data sources, including Splunk Core. The incidents are enriched with threat intel and findings using either native integrations or customized workflows.
- Investigation starts within the XDR interface with the investigate feature and pivots to public or private tools such as VirusTotal (for reputation) or Endace (for network packet investigation and connection analysis), depending on the suspected threat.
The key to this is how easy it was to learn how these tools are leveraged, and how fast we were trained, in less than an hour, on typical incident response handling and process. From the beginning of the onboarding to the end, it took less than an hour and a half before we were all set.
The escalation process is very well defined and follows a specific structure and series of actions, briefly summarized below:
- Investigate the incident in XDR, gathering information from all the other tools that provide additional context and visibility.
- Document the incident and findings in a structured, predefined incident document format for management, and post it to a monitored Webex team room.
- Launch an automation workflow in XDR to escalate the incident to the Tier 3 analyst team, who were using Splunk Enterprise Security.
That process is very well defined and structured in a way that lets anyone who walks into the SOC fill the boots of a Tier 1 / Tier 2 analyst in no time, and, most importantly, provide value and be a productive member of this experienced group.
Day 1 at Cisco Live and guess what? Distributed Denial of Service (DDoS) activity was detected targeting Cisco TV devices connected to the Cisco Live network. Who would have thought that would not happen?
- DDoS activity detected: Finding a DDoS Activity targeting Cisco TV devices
- Confirmed origin of traffic: investigating the origin and the impact of this DDoS
- Escalation and Remediation: Escalation to NOC and remediation
Detecting DDoS at Cisco Live
Discovered on the first day at Cisco Live: a repeated series of connection attempts on port 443 against three assets used by Cisco TV.
Looking at the firewall data, all these requests were being blocked, and they recurred every few seconds.
Looking further, we noticed that the public IPs targeting these systems came from countries all over the world: India, Germany, Bulgaria, Indonesia and many others.
We investigated further to see whether those three internal devices had any successful connections from outside, from similar IPs. Using Endace, we discovered that most of the traffic was DDoS related and consisted only of half-open connections.
Each one of these IPs had a bad reputation from four or more threat intelligence sources.
We followed the escalation process to identify the impact of such activity. Once we informed the NOC team, we were told that these devices belong to the Cisco TV team.
The Cisco TV team made the decision to shut down these devices, and soon after, all the DoS activity stopped. Happy days!
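As an added illustration of the triage pattern in this section (example code written for this post, not code from the Cisco Live SOC; the log format, field names, thresholds and sample events are constructed assumptions), the following Python flags assets that receive repeated blocked port-443 attempts from many distinct sources and countries within a short window, while a single noisy source hitting one host does not trip the check:

```python
# Added example (not the Cisco Live SOC's own code). Log format, field names,
# thresholds and the events below are constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime

# Constructed firewall events: "<iso-ts> action=... src=... country=... dst=... dport=..."
SAMPLE_LOGS = """\
2026-03-10T09:00:01 action=block src=203.0.113.10 country=IN dst=10.10.5.21 dport=443
2026-03-10T09:00:04 action=block src=198.51.100.7 country=DE dst=10.10.5.21 dport=443
2026-03-10T09:00:07 action=block src=203.0.113.55 country=BG dst=10.10.5.21 dport=443
2026-03-10T09:00:10 action=block src=198.51.100.9 country=ID dst=10.10.5.21 dport=443
2026-03-10T09:00:13 action=block src=203.0.113.10 country=IN dst=10.10.5.21 dport=443
2026-03-10T09:00:02 action=block src=192.0.2.15 country=AU dst=10.10.5.40 dport=443
2026-03-10T09:00:05 action=block src=192.0.2.15 country=AU dst=10.10.5.40 dport=443
2026-03-10T09:00:08 action=block src=192.0.2.15 country=AU dst=10.10.5.40 dport=443
2026-03-10T09:00:11 action=block src=192.0.2.15 country=AU dst=10.10.5.40 dport=443
"""

def parse_line(line):
    """Split one event into a dict; timestamp becomes datetime, dport becomes int."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev["dport"])
    return ev

def find_ddos_targets(lines, port=443, min_attempts=4, min_sources=3,
                      min_countries=2, window_s=60):
    """Return {dst: summary} for hosts whose blocked attempts on `port` come from
    >= min_sources IPs in >= min_countries countries within window_s seconds."""
    per_dst = defaultdict(lambda: {"n": 0, "src": set(), "cc": set(), "ts": []})
    for line in lines:
        ev = parse_line(line)
        if ev["dport"] != port or ev["action"] != "block":
            continue  # allowed traffic and other ports are not part of this pattern
        s = per_dst[ev["dst"]]
        s["n"] += 1
        s["src"].add(ev["src"])
        s["cc"].add(ev["country"])
        s["ts"].append(ev["ts"])
    flagged = {}
    for dst, s in per_dst.items():
        span = (max(s["ts"]) - min(s["ts"])).total_seconds()
        # A single misbehaving client fails the distinct-source/country bar.
        if (s["n"] >= min_attempts and len(s["src"]) >= min_sources
                and len(s["cc"]) >= min_countries and span <= window_s):
            flagged[dst] = {"attempts": s["n"], "sources": sorted(s["src"]),
                            "countries": sorted(s["cc"])}
    return flagged
```

In a real deployment the same aggregation would be expressed as a scheduled search over the firewall index, with the flagged destinations handed to the incident record before escalation.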
While my focus in this engagement was to look at the SOC analyst experience using the Cisco and third-party tools, and to find the gaps we can minimize through feedback to engineering and product enhancements, I also experienced first-hand the innovation this team is always exploring and generating from these engagements, by trying the “new” and exploring possibilities to make the SOC’s work easier.
My biggest finding from this involvement is that the reason this team’s experience continues to prevail lies not in the tools, nor in operating a SOC, but in how they embrace and empower new SOC members and bring them up to a level where they are efficient contributors to this success story, which keeps on repeating and elevating with each step forward.
You can also be a contributing member of a SOC team!
Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.
We’d love to hear what you think! Ask a question and stay connected with Cisco Security on social media.